Flipping the Script
Becoming your attackers boogeyman
HI…I’m Chris
AKA @indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_
Exoticliability.com
www.lares.com
Custom Services
OSINT
SIGINT
TSCM/ Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business Chain Vuln Assessments
Custom Physical Bypass Tool Design
Reverse Engineering
Other stuff I can’t write down…
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf
• 80,000 security incidents and more than 2,000 data compromises from 61 countries.
• The top three industries affected are the same as previous years: Public, Technology/Information, and Financial Services.
• In 70% of the attacks where we know the motive for the attack, there’s a secondary victim
• 23% of recipients now open phishing messages and 11% click on attachments
The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people
What do we do to try and DEFEND?
Buy stuff
▪ Firewalls
▪ WAF
▪ IDS/IPS
▪ AV
▪ SIEM
▪ Etc…
Test our stuff
▪ Conduct Audits
▪ Do “PenTests”
▪ Vuln scanning?
▪ Hire 3rd parties
▪ Hire industry “Experts”
And what happens?
WE STILL GET HACKED ALL THE TIME!!!!!!!!
Stories from the OTHER SIDE
When attackers DON’T WIN! Because your infosec FORCE is STRONG
The following things are a brief view of how customers have
DEFENDED their networks and made it HURT for us.
GOOD SECURITY PROGRAMS ARE BUILT IN AND NOT BOLT ON
External Defenses
Sounds cool if you buy them and actually use them.
Rule #1 DON’T TALK TO STRANGERS
▪ Implemented blocks from all emerging threats lists
▪ Honeypots: any IP that SCANNED them or sent them traffic was blocked. FOR GOOD.
▪ External SIEM integration that correlated logins. *Magic*: if the same address tries more than 3 usernames against an APP or SMTP it is banned for a set time; if it happens again after the timeout, it’s banned for good
▪ Constant monitoring and baseline analysis of open ports. If the baseline changed, a SEV1 ticket was created.
▪ Port scanning bans.
▪ Injection bans.
▪ Rejection of specific user agent strings (most tools out there ship with a distinctive default UA string; an attacker who bothers to change it walks past this one, so treat it as a tripwire, not a wall)
▪ Test it all until BLOCK mode WORKS! Monitor mode will just make you feel bad when you go back to your logs and see WHEN you got owned
▪ Big data like a boss. DO THREAT INTEL IN HOUSE!!!!
▪ Protect your OSINT (anonymize info like DNS records)
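The login-correlation rule above (same address, more than 3 usernames, timed ban first, permanent ban on a repeat after the timeout), written out as an added example for this page. This is not code from the talk or from Lares; the log line format, the window, the thresholds and the ban duration are all assumptions, and the log lines are constructed.

```python
"""Login-correlation ban logic from Rule #1, run over constructed log lines.
Added example for this page, not code from the talk; the log format,
thresholds and ban durations are assumptions."""
import re
from collections import defaultdict

# Assumed log line shape: "<epoch> <service> <src_ip> <username> <ok|fail>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (ok|fail)$")

MAX_USERNAMES = 3     # more than this many distinct usernames from one IP => ban
TEMP_BAN_SECS = 600   # first offence: timed ban (assumed value)
WINDOW_SECS = 300     # sliding window over which usernames are counted (assumed)


class BanCorrelator:
    def __init__(self, max_usernames=MAX_USERNAMES, temp_ban=TEMP_BAN_SECS, window=WINDOW_SECS):
        self.max_usernames = max_usernames
        self.temp_ban = temp_ban
        self.window = window
        self.attempts = defaultdict(list)  # src_ip -> [(ts, username), ...]
        self.temp_bans = {}                # src_ip -> expiry ts; kept after expiry as the record of a prior offence
        self.permanent = set()
        self.events = []                   # (ts, src_ip, "temp" | "permanent")

    def is_banned(self, ip, now):
        if ip in self.permanent:
            return True
        expiry = self.temp_bans.get(ip)
        return expiry is not None and now < expiry

    def feed(self, line):
        """Process one log line; return the ban state the source is in afterwards."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None                    # not a login event, ignore
        ts, _service, ip, user, _result = m.groups()
        ts = int(ts)
        if ip in self.permanent:
            return "permanent"
        expiry = self.temp_bans.get(ip)
        if expiry is not None and ts < expiry:
            return "temp"                  # still inside the timed ban
        # Count distinct usernames this source tried inside the window.
        # APP and SMTP share one counter, as the slide describes.
        hist = [(t, u) for t, u in self.attempts[ip] if ts - t <= self.window]
        hist.append((ts, user))
        self.attempts[ip] = hist
        if len({u for _, u in hist}) <= self.max_usernames:
            return None
        self.attempts.pop(ip, None)
        if expiry is not None:
            # A timed ban already lapsed for this source and it came back: ban for good.
            self.permanent.add(ip)
            self.temp_bans.pop(ip, None)
            self.events.append((ts, ip, "permanent"))
            return "permanent"
        self.temp_bans[ip] = ts + self.temp_ban
        self.events.append((ts, ip, "temp"))
        return "temp"


# Constructed sample: one address spraying usernames at SMTP, then again at
# the web app after its timed ban lapses; another address retrying one user.
SAMPLE_LOG = """\
1000 smtp 203.0.113.7 alice fail
1010 smtp 203.0.113.7 bob fail
1020 smtp 203.0.113.7 carol fail
1030 smtp 203.0.113.7 dave fail
1040 smtp 203.0.113.7 erin fail
1500 app 198.51.100.9 alice fail
1510 app 198.51.100.9 alice fail
1520 app 198.51.100.9 alice ok
2000 app 203.0.113.7 frank fail
2010 app 203.0.113.7 grace fail
2020 app 203.0.113.7 heidi fail
2030 app 203.0.113.7 ivan fail
"""


def run(log_text):
    c = BanCorrelator()
    for line in log_text.splitlines():
        c.feed(line)
    return c


if __name__ == "__main__":
    for event in run(SAMPLE_LOG).events:
        print(event)
```

Two things to notice when you run it: 203.0.113.7 gets a timed ban at 1030 and the permanent ban at 2030, while 198.51.100.9, which hammers a single account, never trips this rule at all. Many-usernames-per-source and many-failures-per-user are different signals and need separate counters. The correlator only decides; the actual drop has to be pushed to the firewall or the edge ACL, otherwise the "ban" is a log line.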
Quick fixes
Tons of free stuff out there to get you started.
▪ External honeypot network http://threatstream.github.io/mhn/
▪ Drupal honeypot: https://www.drupal.org/project/honeypot
▪ External honeypot starter https://www.binarydefense.com/project-artillery/
▪ Tools to monitor open ports https://github.com/subinacls/Filibuster
▪ WordPress honeypots http://leadin.com/plugins/wordpress-honeypot
▪ Use the Emerging Threats lists and other threat intel feeds http://rules.emergingthreats.net/
▪ Check your OSINT / attack surface and threat landscape http://www.spiderfoot.net/
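The open-port baseline check from Rule #1 ("if it changed, a SEV1 ticket was created"), as an added example for this page rather than code from the talk or from any of the tools listed above. It parses two nmap greppable (`-oG`) scans of the external range, diffs the open ports, and returns the severity. The two scans below are constructed, not real output, and the addresses are documentation space.

```python
"""Open-port baseline check from Rule #1: parse two nmap greppable (-oG)
scans, diff the open ports, raise SEV1 on any change.  Added example for
this page, not code from the talk; the scan output below is constructed."""


def parse_nmap_grepable(text):
    """Return {host: {(proto, port): service}} of open ports from nmap -oG output."""
    exposure = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comments and the "# Nmap done" trailer
        # -oG fields are tab separated: "Host: 1.2.3.4 ()<TAB>Ports: ...<TAB>Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        ports = exposure.setdefault(host, {})
        for entry in fields.get("Ports", "").split(", "):
            # each entry is port/state/proto/owner/service/rpcinfo/version/
            parts = entry.split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            if state == "open":
                ports[(proto, int(port))] = service
    return exposure


def diff_exposure(baseline, current):
    """List (kind, host, proto, port, service) for every open port that appeared or vanished."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        before = baseline.get(host, {})
        after = current.get(host, {})
        for key in sorted(set(after) - set(before)):
            findings.append(("NEW_OPEN", host, key[0], key[1], after[key]))
        for key in sorted(set(before) - set(after)):
            findings.append(("CLOSED", host, key[0], key[1], before[key]))
    return findings


def severity(findings):
    # The slide's rule is blunt on purpose: the external baseline changed at all => SEV1.
    return "SEV1" if findings else "OK"


# Constructed scans (not real nmap runs): a week apart, RDP appeared on one
# host and HTTP disappeared on another.
BASELINE_SCAN = (
    "# Nmap 7.x scan initiated (constructed baseline)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)
CURRENT_SCAN = (
    "# Nmap 7.x scan initiated (constructed, a week later)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.11 ()\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)


def check():
    findings = diff_exposure(parse_nmap_grepable(BASELINE_SCAN), parse_nmap_grepable(CURRENT_SCAN))
    return severity(findings), findings


if __name__ == "__main__":
    sev, findings = check()
    print(sev)
    for f in findings:
        print(" ", *f)
```

A port that closed is a finding too: it usually means someone changed a firewall rule or rebuilt a box without telling you, and that is exactly the change the baseline exists to catch. Scan from outside your own network (or a cloud box) so you see what the attacker sees, not what your internal ACLs let through.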
Phishing is for kids
#2 If you are going to talk, be sure you know who it is
▪ Disable SMTP verify/validation (VRFY/EXPN), so nobody can enumerate your valid mailboxes
▪ Mailer verification (USE SPF)
▪ Use mail filtering solutions that can intercept ALL mail protocols, encrypted and unencrypted
▪ Strict enforcement of site classification
▪ Analysis of certificate age and domain age (“marination”): a domain registered and a cert issued last week is what a phishing kit looks like
▪ Inspect all attachments and disallow all attachments except for a very specific set which have mitigating controls at the host or can be opened in a sandboxed viewer.
▪ Browser based controls whitelisting 3rd party loaders like Java, Flash etc… (or disabling them altogether)
▪ Verification of sender identity
▪ USE DNS ANALYSIS
▪ Don’t forward DNS. Split DNS is not hard
Quickies
▪ Enable SPF
▪ Implement SpamCop and other blocking lists https://www.spamcop.net/fom-serve/cache/291.html https://www.spamhaus.org
▪ Implement a mail inspection gateway, preferably cloud and local
▪ Check the security settings of SMTP/SPF/DNS http://mxtoolbox.com/diagnostic.aspx http://www.dnssy.com/
▪ Create split DNS, don’t allow forwarding, and use only the validated internal resolver. http://shorewall.net/SplitDNS.html
▪ Create an automated phishing reporting process in the mail client, or train users on the process to submit
▪ Phish the users, test them, train them. And UPDATE your new hire training to include how to defend.
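"Enable SPF" is one DNS record on your side, but the thing that actually rejects the spoofed mail is the receiver's evaluation of it. The following is an added example for this page, not code from the talk: a minimal SPF `check_host()` in the sense of RFC 7208, run against a constructed in-memory DNS table instead of real lookups. It handles `ip4`/`ip6`/`a`/`mx`/`include`/`all` with the four qualifiers and the 10-lookup limit; macros, `redirect=`, `exp=`, `ptr`, `exists` and `/cidr` suffixes on `a`/`mx` are left out. Domain names and addresses are documentation-space placeholders.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed DNS table.
Added example for this page, not code from the talk.  The DNS answers
below are constructed, not real records."""
import ipaddress

# Constructed stand-in for DNS: (name, rrtype) -> list of answers
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated txt record"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def check_host(ip, domain, _state=None):
    """Return pass/fail/softfail/neutral/none/permerror for sender <ip> claiming <domain>."""
    state = _state if _state is not None else {"lookups": 0}
    addr = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is an error, not "pick one"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # ip_network's __contains__ returns False across IP versions, so ip6 terms never match an IPv4 sender
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        # Everything below costs a DNS query and counts against the limit.
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        if mech == "include":
            inner = check_host(ip, arg, state)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":
                return "permerror"  # included domain has no SPF record
            continue  # fail/softfail/neutral inside an include is simply "no match"
        target = arg or domain
        if mech == "a":
            hosts = [target]
        elif mech == "mx":
            hosts = lookup(target, "MX")
        else:
            return "permerror"  # unknown mechanism
        for host in hosts:
            if any(ipaddress.ip_address(a) == addr for a in lookup(host, "A") + lookup(host, "AAAA")):
                return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


if __name__ == "__main__":
    for sender, domain in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                           ("10.9.9.9", "example.com"), ("10.9.9.9", "nospf.example")]:
        print(sender, domain, "->", check_host(sender, domain))
```

The caveat that matters operationally: SPF only checks the envelope sender (MAIL FROM) against that domain's record, and `~all` at the end of your record is a suggestion, not a rejection. Publish `-all` once your legitimate senders are all enumerated, and remember that a receiver that honours it is what stops the spoof, so your own gateway has to enforce it too.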
Internal Defenses
They ARE gonna get in, so knowing that, WHAT YOU GONNA DO ABOUT IT?
#3 Your internal network is a HOSTILE environment. Treat it as such
▪ Monitor inside MORE than outside.
▪ Port scan inside = block and SEV1 IR response
▪ Segmentation of all servers from users.
▪ Create classified zones. These require 2-factor auth to a jump box, and only the jump box is allowed into the secured zone. Or create a VPN from the user desktop directly into the environment
▪ NEVER use VPN address pools. Always tie a user to a specific IP address, and firewall rules limit ALL users to the resources they need.
▪ Alert on ALL network device configuration changes IMMEDIATELY.
▪ Use NetFlow or other traffic analysis to identify top talkers and tune it to find future anomalies
▪ Set up “HoneyNets”
▪ LOCK DOWN YOUR CONFIGS!!!!!!!
▪ Remove your default route and intercept all HTTP/S (anything that wants the internet goes through an explicit proxy, or it goes nowhere)
Quick hits
▪ Set up your AV to disallow/ban anything port scanning
▪ Segment and firewall-protect ALL servers from user segments
▪ Tune internal IDS to look for port scans and inappropriate user-to-server traffic, and to identify protocols that shouldn’t be used (ex. DNS traffic to anything other than the registered internal DNS)
▪ Enable config monitoring on ALL network devices http://www.rconfig.com/
▪ Restrict network device management to only the validated addresses of network engineers, OR set up a management network that engineers MUST VPN into.
▪ Monitor all open ports and look for changes. http://sourceforge.net/p/dnmap/wiki/Home/ (distributed nmap)
▪ Audit your configs https://github.com/pello/routerdefense https://www.titania.com/nipperstudio
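The three internal-traffic checks named in #3 (inside port scan, user-to-server traffic outside what is allowed, DNS going anywhere but the registered internal resolver), run over a few NetFlow-style records as an added example for this page. This is not code from the talk or from any IDS; the subnets, allow-list, thresholds and flow records are assumptions, and the records are constructed.

```python
"""Internal-traffic tuning from #3 over constructed NetFlow-style records.
Added example for this page, not code from the talk; subnets, allow-list,
thresholds and the flow records are all assumptions."""
import csv
import io
import ipaddress
from collections import defaultdict

USER_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed workstation VLANs
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")    # assumed server segment
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.20.0.53")}
USER_TO_SERVER_ALLOWED = {53, 88, 389, 443, 445}     # assumed allow-list from user VLANs
SCAN_DISTINCT_TARGETS = 20   # distinct (dst, dport) pairs from one source ...
SCAN_WINDOW_SECS = 60        # ... inside this window => port scan


def parse_flows(csv_text):
    """Flow export columns assumed: ts,src,dst,proto,dport,bytes."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append((int(r["ts"]), ipaddress.ip_address(r["src"]),
                     ipaddress.ip_address(r["dst"]), r["proto"], int(r["dport"])))
    return sorted(rows, key=lambda row: row[0])


def analyze(csv_text, window=SCAN_WINDOW_SECS, scan_threshold=SCAN_DISTINCT_TARGETS):
    rows = parse_flows(csv_text)
    # Pass 1: scanners. One source reaching many distinct (dst, port) pairs quickly.
    recent = defaultdict(list)
    scanners = {}
    for ts, src, dst, _proto, dport in rows:
        if src in scanners:
            continue
        hist = [(t, k) for t, k in recent[src] if ts - t <= window]
        hist.append((ts, (dst, dport)))
        recent[src] = hist
        if len({k for _, k in hist}) >= scan_threshold:
            scanners[src] = ts   # slide: block it and open a SEV1 IR ticket
    # Pass 2: policy checks. A scanning source already has its SEV1; don't
    # bury it under one policy alert per probed port.
    rogue_dns, user_to_server = set(), set()
    for ts, src, dst, _proto, dport in rows:
        if src in scanners:
            continue
        if dport == 53 and dst not in INTERNAL_RESOLVERS:
            rogue_dns.add((str(src), str(dst)))
        if src in USER_NET and dst in SERVER_NET and dport not in USER_TO_SERVER_ALLOWED:
            user_to_server.add((str(src), str(dst), dport))
    return {
        "portscan": sorted((str(s), t) for s, t in scanners.items()),
        "rogue_dns": sorted(rogue_dns),
        "user_to_server": sorted(user_to_server),
    }


def constructed_flows():
    """A handful of flow records invented for this example."""
    lines = ["ts,src,dst,proto,dport,bytes",
             "100,10.10.7.4,10.20.0.53,udp,53,80",        # DNS to the sanctioned resolver
             "101,10.10.7.4,10.20.1.10,tcp,443,5120",     # normal HTTPS to a server
             "102,10.10.7.4,8.8.8.8,udp,53,70",           # DNS straight to the internet
             "103,10.10.9.8,10.20.1.11,tcp,3389,300"]     # RDP from a user VLAN into servers
    # One workstation walking 25 ports on a server within about nine seconds.
    lines += [f"{200 + i // 3},10.10.5.23,10.20.1.10,tcp,{i + 1},60" for i in range(25)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for kind, hits in analyze(constructed_flows()).items():
        print(kind, hits)
```

Flow data will not tell you what was in the packets, but it is cheap, you already have it from your switches, and for these three questions it is enough. The DNS check is the one worth tuning first: a workstation resolving through anything but your resolver is either misconfigured or talking to a C2 that does not want your DNS logs.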
Workstations are for WORK
#4 Users have the ability to use the company’s resources.
▪ Only add user accounts through secured methods. DO NOT USE GPOs (Group Policy Preferences) that carry a cPassword, or add accounts with cleartext values.
▪ Users should only be allowed to go to categorized sites. Any/all other traffic must be denied.
▪ Whitelist approved and managed software.
▪ Disallow local admin privs
▪ Do NOT let local admin accounts log on remotely
▪ Randomize ALL local admin passwords
▪ Maintain internal software reports for updates
▪ Manage all the things
▪ Host based firewalls, IDS, and behavioral analysis
▪ SCAN ALL HOSTS for vulnerabilities on a regular basis
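The cPassword item above deserves a check you can actually run, so here is an added example for this page (not code from the talk): an audit that walks a SYSVOL Policies tree and reports every Group Policy Preference XML element carrying a `cpassword` attribute. It finds them, it does not decrypt them; the remediation is deleting the preference and moving local admin passwords to LAPS. The MS14-025 update stops new passwords being written this way but leaves existing files in place, which is why the audit is still worth running. The SYSVOL tree below is constructed in a temporary directory so the script runs stand-alone; real GPO folders are named by GUID and the cpassword value here is a placeholder.

```python
"""Audit Group Policy Preference XML under SYSVOL for cPassword attributes.
Added example for this page, not code from the talk.  The SYSVOL tree is
constructed in a temp directory; the cpassword value is a placeholder."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed file contents (paths relative to the SYSVOL Policies folder)
CONSTRUCTED_SYSVOL = {
    os.path.join("{GPO-ONE}", "Machine", "Preferences", "Groups", "Groups.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="LocalAdmin" changed="2015-01-01 00:00:00">\n'
        '    <Properties action="U" cpassword="Q29uc3RydWN0ZWQtbm90LWEtcmVhbC12YWx1ZQ==" userName="LocalAdmin"/>\n'
        '  </User>\n'
        '</Groups>\n'),
    os.path.join("{GPO-TWO}", "Machine", "Preferences", "ScheduledTasks", "ScheduledTasks.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<ScheduledTasks>\n'
        '  <Task name="Nightly" changed="2015-01-01 00:00:00">\n'
        '    <Properties action="C" runAs="svc_backup" cpassword="" logonType="InteractiveToken"/>\n'
        '  </Task>\n'
        '</ScheduledTasks>\n'),
    os.path.join("{GPO-TWO}", "User", "Preferences", "Drives", "Drives.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Drives>\n'
        '  <Drive name="H:"><Properties action="U" path="\\\\files\\home" useLetter="1" letter="H"/></Drive>\n'
        '</Drives>\n'),
}


def build_constructed_sysvol():
    """Write the constructed files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sysvol-example-")
    for rel, body in CONSTRUCTED_SYSVOL.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def find_cpasswords(xml_path):
    """Return (tag, account, has_value) for every element carrying a cpassword attribute."""
    hits = []
    for _event, elem in ET.iterparse(xml_path):
        for attr, value in elem.attrib.items():
            if attr.lower() != "cpassword":
                continue
            # Groups.xml uses userName, ScheduledTasks.xml uses runAs; fall back to name
            account = elem.get("userName") or elem.get("runAs") or elem.get("name") or "?"
            hits.append((elem.tag, account, bool(value)))
    return hits


def audit_sysvol(root):
    """Walk a SYSVOL Policies tree; return sorted (relative_path, tag, account, has_value)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                hits = find_cpasswords(full)
            except ET.ParseError:
                continue   # not well-formed XML; a real audit should log this separately
            rel = os.path.relpath(full, root)
            findings.extend((rel, tag, acct, has) for tag, acct, has in hits)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_sysvol(build_constructed_sysvol()):
        print(*finding)
```

Point it at `\\<domain>\SYSVOL\<domain>\Policies` with a read-only account; every domain user can read those files, which is exactly the problem. An empty `cpassword=""` is reported too: it is harmless by itself but marks a preference that was once password-bearing and should be rebuilt rather than left around.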
Quickies
▪ Manage local admin passwords with a commercial solution or one of the open source ones. Microsoft LAPS https://technet.microsoft.com/en-us/library/security/3062591.aspx
▪ Create GPOs to whitelist or blacklist services
▪ Remove admin rights
▪ Deploy anti-exploitation defenses: EMET https://support.microsoft.com/en-us/kb/2458544 (EMET has since reached end of life; on Windows 10 and later its mitigations live on as Exploit Protection in Windows Defender)
▪ Harden your devices. Linux, AIX, BSD, etc. hardening: https://cisofy.com/lynis/ Windows: Microsoft Baseline Security Analyzer
▪ Enable hardening locally with detection and protection http://www.fail2ban.org/ and Windows Firewall + AV
▪ Use authenticated scans to inventory software, find non-compliant software and define hardening.
▪ Harden default images
It’s a SERVER... Make it serve you.
#5 Servers have a specific purpose
▪ Do not install workstation software on a SERVER. Office, Adobe Acrobat… etc.
▪ Most of them do NOT need to connect to the internet. That means not only NO outbound access at the firewall but also, unless the product requires an exception… NO BROWSER!
▪ Manage updates centrally and in house
▪ Segment, Segment, Segment….. SEGMENT THE DAMNED SERVERS!!!!!!!
▪ Standard image should have NO additional services installed, and build guidelines should be followed before release.
Quickies
▪ Remove all non-essential services from servers RIGHT AWAY. They will run faster and be more secure.
▪ Disallow installation of readers, office-type programs or any other workstation software in the server hardening policy.
▪ Run full AV on EVERY server.
▪ If you can’t get IDS/IPS for your servers, try open source like OSSEC http://www.ossec.net/
▪ Use DLP https://code.google.com/p/opendlp/
▪ Disallow all non-authenticated services.
▪ Do not allow the use of local accounts to log in remotely (that includes you, SQL!!! No local SQL accounts.. integrate it with directory authentication)
▪ Make sure they all report to the SIEM for security and login events.
#6 Awareness > Knowledge
▪ Create Security Event Management environments
▪ Implement logging on ALL servers and eventually specific workstation events.
▪ Consolidate logging
▪ Have packet capture capabilities on the fly in ALL areas
Quick hits
▪ Set up IDS/IPS and have it report to a consolidated platform http://blog.securityonion.net/p/securityonion.html https://www.bro.org/
▪ Set up logging and have it report to a consolidated platform http://www.splunk.com/en_us/products/splunk-light.html http://blog.qbox.io/welcome-to-the-elk-stack-elasticsearch-logstash-kibana
▪ Make it easy for yourself. Help correlate from multiple sources. https://bammv.github.io/sguil/
Get your IR game in order
#7 In order to say you have an information security program you need to have an incident response plan.
▪ Humans must be assigned to this plan and the tasks in it
▪ The security response center must have defined plans, SOPs, and most of all a fully capable SLA to the business on risk identification/response
▪ Active defenses to stop an attack in progress
▪ Forensic/malware analysis on the fly and manual
▪ Coordination with all teams to have real time response.
▪ Defined skillsets of all team members, to be sure the right skill is on the right project.
Quick ways?
▪ Build a proper IR team. Define skills and roles to be played
▪ Set up an IR action group (from all of IT and the business)
▪ Create defined IR plans that can be run as part of DR plans
▪ Build an IR team sandbox toolkit / lab https://zeltser.com/build-malware-analysis-toolkit/
▪ Build an incident response platform http://blog.crowdstrike.com/new-community-tool-crowdresponse/ https://github.com/google/grr http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
We don’t just say it
WE PROVE IT
Yep.. That’s right…. We will prove it for FREE. Throw a card in the basket in the back and we will set up a few hours to show you what it’s like to have a REAL attacker in your network.
Want to talk more….. Challah =)
Darren Davis ddavis@lares.com
Chris Nickerson cnickerson@lares.com

Mais conteúdo relacionado

Mais procurados

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 

Mais procurados (20)

Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
Security Issues in Android Custom ROM
Security Issues in Android Custom ROMSecurity Issues in Android Custom ROM
Security Issues in Android Custom ROM
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learned
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...Let’s play the game. Yet another way to perform penetration test. Russian “re...
Let’s play the game. Yet another way to perform penetration test. Russian “re...
 
You Spent All That Money And Still Got Owned
You Spent All That Money And Still Got OwnedYou Spent All That Money And Still Got Owned
You Spent All That Money And Still Got Owned
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's  more than cracking WEPWireless Pentesting: It's  more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 

Semelhante a Flipping the script

Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
fangjiafu
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
PROIDEA
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 

Semelhante a Flipping the script (20)

Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
6 - Web Application Security.pptx
6 - Web Application Security.pptx6 - Web Application Security.pptx
6 - Web Application Security.pptx
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!BSides Columbus: Active Defense - Helping threat actors hack themselves!
BSides Columbus: Active Defense - Helping threat actors hack themselves!
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Flipping the script

  • 1. Flipping the Script Becoming your attackers boogeyman
  • 2.
  • 3.
  • 6.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. Custom Services OSINT SIGINT TSCM/ Bug Sweeping Exploit Development Tool Creation Attack Planning Offensive Consultation Adversarial Intelligence Competitive Intelligence Attack Modeling Business Chain Vuln Assessments Custom Physical Bypass Tool Design Reverse Engineering Other stuff I can’t write down…
  • 18.
  • 19.
  • 21. • 80,000 security incidents and more than 2,000 data compromises from 61 countries. • The top three industries affected are the same as previous years: Public,Technology/Information, and Financial Services. • In 70% of the attacks where we know the motive for the attack, there’s a secondary victim • 23% of recipients now open phishing messages and 11% click on attachments
  • 22. 22
  • 23. 23 The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people
  • 24.
  • 25. What do we do to try and DEFEND? Buy stuff ▪ Firewalls ▪ WAF ▪ IDS/IPS ▪ AV ▪ SIEM ▪ Etc… Test our stuff ▪ Conduct Audits ▪ Do “PenTests” ▪ Vuln scanning? ▪ Hire 3rd parties ▪ Hire industry “Experts”
  • 26. And what happens? WE STILL GET HACKED ALLTHETIME!!!!!!!!
  • 27.
  • 28. Stories from the OTHER SIDE When attackers DON’T WIN! Because your infosec is FORCE is STRONG
  • 29. The following things are a brief view of how customers have DEFENDED their networks and made it HURT for us.
  • 31. External Defenses Sounds cool if you buy them and actually use them.
  • 32. Rule #1 DON’T TALK TO STRANGERS ▪ Implemented blocks from all emerging threats lists ▪ Honeypots that if SCANNED or traffic was sent to, that IP was blocked. FORGOOD. ▪ External SIEM integration that correlated logins. *Magic* the same address tries more than 3 usernames in an APP or SMPT it is banned for a certain time, if it happens after timeout, its banned for good ▪ Constant monitoring and baseline analysis of open ports. If it changed, a SEV1 ticket was created. ▪ Port scanning bans. ▪ Injection Bans ▪ Rejection of specific user agent strings ( most tools out there have specific UA strings. ▪ Test it all until BLOCK modeWORKS! Monitor mode will just make you feel bad when u go back to your logs and seeWHEN you got owned ▪ Big data like a boss. DOTHREAT INTEL IN HOUSE!!!! ▪ Protect yourOSINT ( anonymize info like DNS records)
  • 33. Quick fixes Tons of free stuff out there to get you started. ▪ External honeypot Network http://threatstream.github.io/mhn/ ▪ Drupal honeypot: https://www.drupal.org/project/honeypot ▪ External honeypot starter https://www.binarydefense.com/project- artillery/ ▪ Tools to monitor open ports https://github.com/subinacls/Filibuster ▪ Wordpress honeypots http://leadin.com/plugins/wordpress- honeypot ▪ Use the Emerging threats lists and other threat intel feeds http://rules.emergingthreats.net/ ▪ Check your osint / attack surface and threat landscape http://www.spiderfoot.net/
  • 35. #2 If you are going to talk, be sure u know who it is ▪ Disable SMTP verify/validation ▪ Mailer verification ( USE SPF) ▪ Use Mail filtering solutions that can intercept ALL mail protocols Encrypted and unencrypted ▪ Strict enforcement of Site Classification ▪ Analysis of certificate age and domain age “marination” ▪ Inspect all attachments and disallow all attachments except for a very specific set which have mitigating controls at the host or can be used in a sandboxed viewer. ▪ Browser based controls whitelisting 3rd party loaders like java, flash etc… ( or disabling all together) ▪ Verification of sender identity ▪ USE DNS ANALYSIS ▪ Don’t forward DNS. Split DNS is not hard
  • 36. Quickies ▪ Enable SPF ▪ Implement spamcop and other blocking lists https://www.spamcop.net/fom-serve/cache/291.html https://www.spamhaus.org ▪ Implement a Mail inspection gateway Preferably cloud and local ▪ Check security setting of SMTP/SPF/DNS http://mxtoolbox.com/diagnostic.aspx http://www.dnssy.com/ ▪ Create Split DNS don’t allow forwarding and use only the validated internal resolver. http://shorewall.net/SplitDNS.html ▪ Create automated Phishing reporting process in client or train users on process to submit ▪ Phish the users, test them, train them. And UPDATE your new hire training to include how to defend.
  • 37. Internal Defenses They ARE gonna get in, so knowing that WHAT U GONNA DO ABOUT IT?
  • 38. #3 Your internal network is a HOSTILE environment. Treat it as such ▪ Monitor inside MORE than outside. ▪ Portscan inside = Block and SEV1 IR response ▪ Segmentation of all servers from users. ▪ Create Classified zones,These will require 2 factor auth to a Jump box. Only jump box will be allowed to get into secured zone. Or CreateVPN from user desktop directly into the Environment ▪ NEVER useVPN Pools.Always tie a user to a specific ip address and firewall rule limitALL users to resources needed. ▪ Alert on ALL network device configuration change IMMEDIATELY. ▪ Use Netflows or other traffic analysis to identify top talkers and tune to find future anomalies ▪ Set up “HoneyNets” ▪ LOCK DOWNYOUR CONFIGS!!!!!!! ▪ Remove your default route and intercept all HTTP/S
  • 39. Quick hits ▪ Set up your AV to disallow/ban anything port scanning ▪ Segment and firewall protect ALL servers from user segments ▪ Tune internal IDS to look for port scans and inappropriate user to server traffic. Also to identify protocols that shouldn’t be used (ex. DNS traffic to things other than the registered internal DNS) ▪ Enable config monitoring on ALL network Devices http://www.rconfig.com/ ▪ Restrict network device management to only validated addresses of network engineers OR setup mgmt. network that Engineers MUST vpn into. ▪ Monitor all ports open and look for changes. http://sourceforge.net/p/dnmap/wiki/Home/ distributed nmap ▪ Audit your configs https://github.com/pello/routerdefense https://www.titania.com/nipperstudio
  • 41. #4 Users have the ability to use the company’s resources.
    ▪ Only add user accounts through secured methods. DO NOT USE GPOs that have cPassword or add accounts with cleartext values.
    ▪ Users should only be allowed to go to categorized sites. Any/all other traffic must be denied.
    ▪ Whitelist approved and managed software.
    ▪ Disallow local admin privs
    ▪ Do NOT let local admins log on remotely
    ▪ Randomize ALL local admin passwords
    ▪ Maintain internal software reports for updates
    ▪ Manage all the things
    ▪ Host based firewalls, IDS, and behavioral analysis
    ▪ SCAN ALL HOSTS for vulnerabilities on a regular basis
  • 42. Quickies
    ▪ Manage local admin passwords with a commercial solution or one of the open source ones. Microsoft LAPS https://technet.microsoft.com/en-us/library/security/3062591.aspx
    ▪ Create GPOs to whitelist or blacklist services
    ▪ Remove admin rights
    ▪ Deploy anti-exploitation defenses: EMET https://support.microsoft.com/en-us/kb/2458544
    ▪ Harden your devices. Linux, AIX, BSD, etc. hardening: https://cisofy.com/lynis/ Windows: Microsoft Baseline Security Analyzer
    ▪ Enable hardening locally with detection and protection http://www.fail2ban.org/ and Windows Firewall + AV
    ▪ Use authenticated scans to inventory software, find non-compliant software and define hardening.
    ▪ Harden default images
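The "DO NOT USE GPOs that have cPassword" point from slide 41, as an added example that is not from the deck: an audit script that walks a copy of SYSVOL and reports every Group Policy Preference element still carrying a cpassword attribute, so the offending GPOs can be rebuilt (for instance with LAPS) without the embedded credential. The file list, the sample XML and its placeholder cpassword value are assumptions.

```python
# Audit Group Policy Preference XML for embedded cpassword credentials
# (added example, not from the slides).  It only reports where a cpassword
# attribute is present; nothing is decrypted.  SAMPLE_GROUPS_XML is
# constructed and its cpassword value is a placeholder, not a real ciphertext.
import os
import xml.etree.ElementTree as ET

# GPP files that can carry a cpassword attribute (assumed list)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin" changed="2015-06-01 12:00:00">
    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER_CPASSWORD"/>
  </User>
  <User name="helpdesk" changed="2015-06-02 09:00:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>"""


def find_cpassword(xml_text):
    """Return [(tag, account, changed)] for every element with a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue                     # absent or empty: no credential stored
        owner = parents.get(elem, elem)  # the <User>/<Service>/<Task> wrapping <Properties>
        account = (elem.get("userName") or elem.get("runAs")
                   or elem.get("accountName") or owner.get("name") or "?")
        findings.append((owner.tag, account, owner.get("changed", "")))
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and return {path: findings} for files holding cpasswords."""
    report = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:    # bytes: XML declaration picks encoding
                    findings = find_cpassword(fh.read())
            except (OSError, ET.ParseError) as err:
                findings = [("error", str(err), "")]
            if findings:
                report[path] = findings
    return report
```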
  • 43. It’s a SERVER... Make it serve you.
  • 44. #5 Servers have a specific purpose
    ▪ Do not install workstation software on a SERVER. Office, Adobe Acrobat… etc.
    ▪ Most of them do NOT need to connect to the internet. Not only does this mean NO access at the firewall, it means, unless the product requires an exception… NO BROWSER!
    ▪ Manage updates centrally and in house
    ▪ Segment, Segment, Segment….. SEGMENT THE DAMNED SERVERS!!!!!!!
    ▪ The standard image should have NO additional services installed, and build guidelines should be followed before release.
  • 45. Quickies
    ▪ Remove all non-essential services from servers RIGHT AWAY. They will run faster and more securely.
    ▪ Disallow installation of any readers, office-type programs or other workstation software in the server hardening policy.
    ▪ Run full AV on EVERY server.
    ▪ If you can’t get IDS/IPS for your servers, try open source like OSSEC http://www.ossec.net/
    ▪ Use DLP https://code.google.com/p/opendlp/
    ▪ Disallow all non-authenticated services.
    ▪ Do not allow the use of local accounts to log in remotely (that includes you, SQL!!! No local SQL accounts… integrate it)
    ▪ Make sure all of them report to the SIEM for security and login events.
  • 47. #6 Awareness > Knowledge
    ▪ Create Security Event Management environments
    ▪ Implement logging on ALL servers and eventually specific workstation events.
    ▪ Consolidate logging
    ▪ Have packet capture capabilities on the fly in ALL areas
  • 48. Quick hits
    ▪ Set up IDS/IPS and have it report to a consolidated platform http://blog.securityonion.net/p/securityonion.html https://www.bro.org/
    ▪ Set up logging and have it report to a consolidated platform http://www.splunk.com/en_us/products/splunk-light.html http://blog.qbox.io/welcome-to-the-elk-stack-elasticsearch-logstash-kibana
    ▪ Make it easy for yourself. Help correlate from multiple sources. https://bammv.github.io/sguil/
  • 49. Get your IR game in order
  • 50. #7 In order to say you have an information security program you need to have an incident response plan.
    ▪ Humans must be assigned to this plan and the tasks in it
    ▪ The security response center must have defined plans, SOPs, and most of all a fully capable SLA to the business on risk response/identification
    ▪ Active defenses to stop an attack in progress
    ▪ Forensic/malware analysis on the fly and manual
    ▪ Coordination with all teams to have real time response.
    ▪ Defined skillsets of all team members, to be sure the right skill is applied to each project.
  • 51. Quick ways?
    ▪ Build a proper IR team. Define the skills and roles to be played
    ▪ Set up an IR action group (from all of IT and the business)
    ▪ Create defined IR plans that can be run as part of DR plans
    ▪ Build an IR Team sandbox toolkit / lab https://zeltser.com/build-malware-analysis-toolkit/
    ▪ Build an incident response platform http://blog.crowdstrike.com/new-community-tool-crowdresponse/ https://github.com/google/grr http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html
  • 53. We don’t just say it, WE PROVE IT. Yep… that’s right… we will prove it for FREE. Throw a card in the basket in the back and we will set up a few hours to show you what it’s like to have a REAL attacker in your network.
  • 54. Want to talk more… Challah =) Darren Davis ddavis@lares.com Chris Nickerson cnickerson@lares.com

Editor’s Notes

  1. Who we are
  2. Code review
  3. Incident response
  4. Risk Assessment
  5. Physical security
  6. PenTesting
  7. Red Teaming
  8. To my stupid ppt